[ https://issues.apache.org/jira/browse/CXF-3100?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12927738#action_12927738 ]
Willem Jiang commented on CXF-3100:
-----------------------------------
Hi Kevin,
Thanks for your contribution.
Can you submit a diff file instead of the whole HttpConduit.java, so I can apply
the patch more easily?
Willem
> HTTPConduit doesn't handle cookies when retransmitting in case of "401
> Unauthorized" response
> ---------------------------------------------------------------------------------------------
>
> Key: CXF-3100
> URL: https://issues.apache.org/jira/browse/CXF-3100
> Project: CXF
> Issue Type: Bug
> Components: Transports
> Reporter: Kevin Linke
> Attachments: HTTPConduit.java
>
>
> Hello,
> we are consuming a web service that requires http basic authentication and
> tries to establish a cookie-based session with the client. So the response to
> the first request is always a "401 Unauthorized" response including a
> "Set-Cookie" header, even if the first request already contains the basic
> authentication header with the correct credentials. The request is only
> accepted if both the basic authentication header and the cookie header with
> the cookie from the "401 Unauthorized" response are set.
> Calling the web service using SoapUI works fine. You can see in the log the
> initial request, the 401 response including the "Set-Cookie" header and the
> retransmitted request with the corresponding cookie header set, resulting in
> a successful response. Everything as expected.
> When using CXF, there is an infinite loop (request -> 401 -> retransmit ->
> 401 and so on) until a protocol exception is thrown (too many
> retransmits/redirects). The reason is that the expected cookie header is not
> set when retransmitting the request, even if the parameter
> "BindingProvider.SESSION_MAINTAIN_PROPERTY" is set to true.
> Investigating the source code of the
> org.apache.cxf.transport.http.HTTPConduit class I found out that when
> retransmitting in case of 301, 302 or 401 responses the part of the code
> evaluating the "Set-Cookie" headers of the response is never reached, which
> is not correct in my opinion.
> I did some changes to the org.apache.cxf.transport.http.HTTPConduit class
> (see attachment) so that it works now with the specified scenario. Is it
> possible to fix this overall issue in a future release?
> Notes:
> - we are using Apache CXF 2.2.9
> - soap over http (with ssl) and http basic authentication
> - the modified org.apache.cxf.transport.http.HTTPConduit class is also based
> on the 2.2.9 sources
> - all changes of the org.apache.cxf.transport.http.HTTPConduit class are
> labeled "// KLI:"
> Thanks,
> Kevin
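An added example, not part of the original report or the attached HTTPConduit.java: a client retransmit loop that reads "Set-Cookie" from the 401 response before retrying and gives up after a fixed number of retransmits. The stub server, cookie name, credentials and class name are constructed for illustration, and plain HttpURLConnection over loopback HTTP stands in for CXF's conduit.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
public class RetransmitWithCookies {
    static final int MAX_RETRANSMITS = 3; // bound the loop if the server keeps answering 401
    // Constructed stub: 401 + Set-Cookie until a request carries both Basic header and cookie.
    static HttpServer startStub() throws Exception {
        HttpServer s = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        s.createContext("/ws", ex -> {
            boolean ok = ex.getRequestHeaders().getFirst("Authorization") != null
                    && "SID=constructed-123".equals(ex.getRequestHeaders().getFirst("Cookie"));
            if (!ok) ex.getResponseHeaders().add("Set-Cookie", "SID=constructed-123; Path=/ws");
            ex.sendResponseHeaders(ok ? 200 : 401, -1);
            ex.close();
        });
        s.start();
        return s;
    }
    static int call(URL url, String creds) throws Exception {
        String auth = "Basic " + Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8));
        Map<String, String> cookies = new LinkedHashMap<>(); // scoped to this one endpoint
        for (int attempt = 0; attempt <= MAX_RETRANSMITS; attempt++) {
            HttpURLConnection con = (HttpURLConnection) url.openConnection();
            con.setRequestProperty("Authorization", auth);
            StringJoiner header = new StringJoiner("; ");
            cookies.forEach((name, value) -> header.add(name + "=" + value));
            if (!cookies.isEmpty()) con.setRequestProperty("Cookie", header.toString());
            int status = con.getResponseCode();
            // Harvest Set-Cookie from every response, the 401 included, before retrying.
            for (int i = 1; con.getHeaderFieldKey(i) != null; i++) {
                if (!"Set-Cookie".equalsIgnoreCase(con.getHeaderFieldKey(i))) continue;
                String pair = con.getHeaderField(i).split(";", 2)[0]; // drop attributes
                int eq = pair.indexOf('=');
                if (eq > 0) cookies.put(pair.substring(0, eq).trim(), pair.substring(eq + 1).trim());
            }
            if (status != HttpURLConnection.HTTP_UNAUTHORIZED) return status;
        }
        throw new ProtocolException("still 401 after " + MAX_RETRANSMITS + " retransmits");
    }
    public static void main(String[] args) throws Exception {
        HttpServer stub = startStub();
        try {
            URL url = URI.create("http://127.0.0.1:" + stub.getAddress().getPort() + "/ws").toURL();
            System.out.println("final status: " + call(url, "user:constructed-password"));
        } finally { stub.stop(0); }
    }
}
```

The cookie map lives only for the duration of one call to one URL, so a cookie issued in a 401 response is returned only to the endpoint that set it.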